Httpd

Httpd

安装httpd服务

//以下为源码安装

//1.准备工作
[root@localhost ~]# yum -y install wget bzip2 gcc gcc-c++ make pcre-devel expat-devel libxml2-devel

//2.下载源码包(编译前应校验完整性:从Apache官方站点获取对应的.sha256和.asc文件,用sha256sum -c或gpg --verify核对,不要只信任镜像站上的文件)
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# ls
anaconda-ks.cfg  apr-1.7.0.tar.gz  apr-util-1.6.1.tar.gz  httpd-2.4.46.tar.bz2

//3.安装apr
[root@localhost ~]# tar xf apr-1.7.0.tar.gz 
[root@localhost ~]# cd apr-1.7.0
[root@localhost apr-1.7.0]# vi configure
//注释这一行
#   $RM "$cfgfile"
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.7.0]# make
[root@localhost apr-1.7.0]# make install

//4.安装apr-util
[root@localhost apr-1.7.0]# cd
[root@localhost ~]# tar xf apr-util-1.6.1.tar.gz 
[root@localhost ~]# cd apr-util-1.6.1
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# make
[root@localhost apr-util-1.6.1]# make install

//5.安装httpd
[root@localhost apr-util-1.6.1]# cd
[root@localhost ~]# tar xf httpd-2.4.46.tar.bz2 
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/apache \
--sysconfdir=/etc/httpd24 \
--enable-so \
--enable-ssl \
--enable-cgi \
--enable-rewrite \
--with-zlib \
--with-pcre \
--with-apr=/usr/local/apr \
--with-apr-util=/usr/local/apr-util/ \
--enable-modules=most \
--enable-mpms-shared=all \
--with-mpm=prefork
[root@localhost httpd-2.4.46]# make
[root@localhost httpd-2.4.46]# make install

//6.设置环境变量(注意:第6~8步中的路径必须与第5步的--prefix一致;第5步用的是/usr/local/apache,下面的/usr/local/httpd需相应替换,否则找不到apachectl)
[root@localhost ~]# vi /etc/profile.d/httpd.sh
export PATH=$PATH:/usr/local/httpd/bin
[root@localhost ~]# source /etc/profile.d/httpd.sh 

//7.设置头文件链接
[root@localhost ~]# ln -s /usr/local/httpd/include /usr/include/httpd

//8.设置帮助文档(加入以下内容)
[root@localhost ~]# vi /etc/man_db.conf 
MANDATORY_MANPATH                       /usr/local/httpd/man
MANDATORY_MANPATH                       /usr/local/httpd/manual

//9.管理httpd
[root@localhost ~]# apachectl start
[root@localhost ~]# apachectl stop
[root@localhost ~]# apachectl restart

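//10.关闭防火墙和SELinux(仅适用于实验环境,setenforce 0重启后失效;对外提供服务的主机应保持两者开启,并用firewall-cmd --permanent --add-service=http和firewall-cmd --reload放行端口)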
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# setenforce 0

httpd配置

切换使用MPM

(编辑/etc/httpd/conf.modules.d/00-mpm.conf文件):

[root@localhost ~]# cd /etc/httpd/conf.modules.d/
[root@localhost conf.modules.d]# ls
00-base.conf  00-lua.conf  00-optional.conf  00-systemd.conf  10-h2.conf        README
00-dav.conf   00-mpm.conf  00-proxy.conf     01-cgi.conf      10-proxy_h2.conf
[root@localhost conf.modules.d]# vim 00-mpm.conf
# Select the MPM module which should be used by uncommenting exactly
# one of the following LoadModule lines.  See the httpd.conf(5) man
# page for more information on changing the MPM.

# prefork MPM: Implements a non-threaded, pre-forking web server
# See: http://httpd.apache.org/docs/2.4/mod/prefork.html
#
# NOTE: If enabling prefork, the httpd_graceful_shutdown SELinux
# boolean should be enabled, to allow graceful stop/shutdown.
#
#LoadModule mpm_prefork_module modules/mod_mpm_prefork.so

# worker MPM: Multi-Processing Module implementing a hybrid
# multi-threaded multi-process web server
# See: http://httpd.apache.org/docs/2.4/mod/worker.html
#
#LoadModule mpm_worker_module modules/mod_mpm_worker.so

# event MPM: A variant of the worker MPM with the goal of consuming
# threads only for connections with active processing
# See: http://httpd.apache.org/docs/2.4/mod/event.html
#
LoadModule mpm_event_module modules/mod_mpm_event.so

切换方式:用哪种模式就在相应的那一行取消注释,注意不能同时用两个模式,只能有一个启用。

访问控制法则

法则 功能
Require all granted 允许所有主机访问
Require all denied 拒绝所有主机访问
Require ip IPADDR 授权指定来源地址的主机访问
Require not ip IPADDR 拒绝指定来源地址的主机访问
Require host HOSTNAME 授权指定来源主机名的主机访问
Require not host HOSTNAME 拒绝指定来源主机名的主机访问

默认首页在/var/www/html/index.html

//在/var/www/html中创建一个test文件夹
[root@localhost html]# mkdir test
[root@localhost html]# echo 'haha' > /var/www/html/test/index.html

访问192.168.21.129/test/

1

请问如果想让有些人能访问test,有些人不能访问,应该怎么做呢?

比如192.168.21.1不让访问test:

[root@localhost ~]# vim /etc/httpd/conf/httpd.conf
<Directory "/var/www/html">
    #
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    #
    # Note that "MultiViews" must be named *explicitly* --- "Options All"
    # doesn't give it to you.
    #
    # The Options directive is both complicated and important.  Please see
    # http://httpd.apache.org/docs/2.4/mod/core.html#options
    # for more information.
    #
    Options Indexes FollowSymLinks

    #
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    #
    AllowOverride None

    #
    # Controls who can get stuff from this server.
    #
    Require all granted
</Directory>

//在后面加上这个访问控制法则,192.168.21.1为本机地址
<Directory "/var/www/html/test">
    <RequireAll>
        Require not ip 192.168.21.1
        Require all granted
    </RequireAll>
</Directory>
[root@localhost ~]# systemctl restart httpd
[root@localhost html]# curl http://192.168.21.129/test/index.html
haha

2

如果将法则改为192.168.21.129:

[root@localhost html]# vim /etc/httpd/conf/httpd.conf 

<Directory "/var/www/html/test">
    <RequireAll>
        Require not ip 192.168.21.129
        Require all granted
    </RequireAll>
</Directory>

或

<Directory "/var/www/html/test">
        Require ip 192.168.21.1
</Directory>

[root@localhost html]# systemctl restart httpd
[root@localhost html]# curl http://192.168.21.129/test/index.html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access /test/index.html
on this server.<br />
</p>
</body></html>

则虚拟机无法访问,本机可以访问

3

三种虚拟主机的配置

虚拟主机有三类:

  • 相同IP不同端口

  • 不同IP相同端口

  • 相同IP相同端口不同域名

相同IP不同端口

[root@localhost ~]# hostname
localhost.localdomain
[root@localhost ~]# hostnamectl set-hostname www.example.com
[root@localhost ~]# bash
[root@www ~]# hostname
www.example.com
[root@www ~]# cd /etc/httpd/conf.d
[root@www conf.d]# find / -name *vhosts.conf
/usr/share/doc/httpd/httpd-vhosts.conf
[root@www conf.d]# cp /usr/share/doc/httpd/httpd-vhosts.conf .
[root@www conf.d]# ls
autoindex.conf  httpd-vhosts.conf  README  userdir.conf  welcome.conf
[root@www conf.d]# vim httpd-vhosts.conf
<VirtualHost *:80>
    DocumentRoot "/var/www/html/"
    ServerName www.example.com
    ErrorLog "/var/log/httpd/www.example.com-error_log"
    CustomLog "/var/log/httpd/www.example.com-access_log" common
</VirtualHost>
[root@www conf.d]# systemctl restart httpd

在源码之家上下载2个HTML5实例

[root@www ~]# ls
anaconda-ks.cfg  HTML5_Windows10.zip  taikongheidongdonghua.zip
[root@www ~]# unzip HTML5_Windows10.zip taikongheidongdonghua.zip 
[root@www ~]# mv HTML5模仿Windows10桌面代码 win10
[root@www ~]# mv HTML5太空黑洞动画代码 taikong
[root@www ~]# ls
anaconda-ks.cfg  HTML5_Windows10.zip  taikong  taikongheidongdonghua.zip  win10
[root@www ~]# mv taikong win10 /var/www/html/
[root@www ~]# cd /var/www/html/
[root@www html]# ls
index.html  taikong  test  win10
[root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/var/www/html/win10"
    ServerName win10.example.com
    ErrorLog "/var/log/httpd/win10.example.com-error_log"
    CustomLog "/var/log/httpd/win10.example.com-access_log" common
</VirtualHost>

Listen 81
<VirtualHost *:81>
    DocumentRoot "/var/www/html/taikong"
    ServerName taikong.example.com
    ErrorLog "/var/log/httpd/taikong.example.com-error_log"
    CustomLog "/var/log/httpd/taikong.example.com-access_log" common
</VirtualHost>
[root@www ~]# systemctl restart httpd

访问192.168.21.129:80

4

访问192.168.21.129:81

5

不同IP相同端口

[root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
<VirtualHost 192.168.21.129:80>
    DocumentRoot "/var/www/html/win10"
    ServerName win10.example.com
    ErrorLog "/var/log/httpd/win10.example.com-error_log"
    CustomLog "/var/log/httpd/win10.example.com-access_log" common
</VirtualHost>

<VirtualHost 192.168.21.250:80>
    DocumentRoot "/var/www/html/taikong"
    ServerName taikong.example.com
    ErrorLog "/var/log/httpd/taikong.example.com-error_log"
    CustomLog "/var/log/httpd/taikong.example.com-access_log" common
</VirtualHost>
[root@www ~]# systemctl restart httpd
[root@www ~]# ip a
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c8:3e:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.129/24 brd 192.168.21.255 scope global dynamic noprefixroute ens160
       valid_lft 908sec preferred_lft 908sec
    inet6 fe80::197b:f289:f6a9:5e1d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
[root@www ~]# ip addr add 192.168.21.250/24 dev ens160
[root@www ~]# ip a
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c8:3e:c8 brd ff:ff:ff:ff:ff:ff
    inet 192.168.21.129/24 brd 192.168.21.255 scope global dynamic noprefixroute ens160
       valid_lft 1783sec preferred_lft 1783sec
    inet 192.168.21.250/24 scope global secondary ens160
       valid_lft forever preferred_lft forever
    inet6 fe80::197b:f289:f6a9:5e1d/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

访问192.168.21.129

6

访问192.168.21.250

7

相同IP相同端口不同域名

[root@www ~]# vim /etc/httpd/conf.d/httpd-vhosts.conf 
<VirtualHost *:80>
    DocumentRoot "/var/www/html/win10"
    ServerName win10.example.com
    ErrorLog "/var/log/httpd/win10.example.com-error_log"
    CustomLog "/var/log/httpd/win10.example.com-access_log" common
</VirtualHost>

<VirtualHost *:80>
    DocumentRoot "/var/www/html/taikong"
    ServerName taikong.example.com
    ErrorLog "/var/log/httpd/taikong.example.com-error_log"
    CustomLog "/var/log/httpd/taikong.example.com-access_log" common
</VirtualHost>
[root@www ~]# systemctl restart httpd

IP地址映射:

hosts文件的位置

C:\Windows\System32\drivers\etc\hosts

192.168.21.129 win10.example.com taikong.example.com

访问win10.example.com

8

访问taikong.example.com

9

https配置

CA的配置文件:/etc/pki/tls/openssl.cnf

CA生成一对密钥

 [root@www ~]# cd /etc/pki/CA
bash: cd: /etc/pki/CA: No such file or directory
[root@www ~]# mkdir /etc/pki/CA
[root@www ~]# cd /etc/pki/CA
//生成密钥
[root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
genrsa: Can't open "private/cakey.pem" for writing, No such file or directory
[root@www CA]# mkdir private
[root@www CA]# (umask 077;openssl genrsa -out private/cakey.pem 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
.....................................................................................+++++
................................+++++
e is 65537 (0x010001)
[root@www CA]# ls private/
cakey.pem
//提取公钥
[root@www CA]# openssl rsa -in private/cakey.pem -pubout
writing RSA key
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1vk5foqHDeMcPTXJHFeS
ZjICQsb/Af8SJH6351kuG5kL5Axjq1XsUbuM3FZyIwJ7HpV1CQBlfhJJ1ku6EkfU
1wRq+9G+ZE03sONBIpXqUsuTnMw0CDBZWXHFlwzi2iI3PpIVZLNNkk4DiHN3jJVm
ypjclmA0r25SSXdClyP68/63OaeIgg0GZptsulKdTzaxPxDwByE4mGjX4497aFzY
FKEYKDLkUAhK4LJcUoCuLmu3Vj+3hnHl/YvOLKgm9D+I3UO5ATQaIrVEbSWUyoDl
EzvHz/dAf6eUXMN+pcwnJZpuPEkXFdu0oMWvTeu7vI1Dx7uS9ydQjTZvb5UW/vKe
fwIDAQAB
-----END PUBLIC KEY-----

CA生成自签署证书

//生成自签署证书(Common Name应填CA自己的名称,不要与后面服务器证书的CN相同:本例中两处填写的内容完全相同,签出的服务器证书颁发者与主体一致,客户端可能把它当作自签名证书而校验失败)
[root@www CA]# openssl req -new -x509 -key private/cakey.pem -out cacert.pem -days 365
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:yuqinghao
Organizational Unit Name (eg, section) []:xuexi
Common Name (eg, your name or your server's hostname) []:taikong.example.com
Email Address []:1@2.com 
//读出cacert.pem证书的内容
[root@www CA]# openssl x509 -text -in cacert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            59:86:ea:fc:15:3a:a5:05:9c:7f:01:0d:82:6e:ec:b8:6e:47:b8:6e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = cn, ST = HB, L = WH, O = runtime, OU = peixun, CN = taikong.example.com, emailAddress = 1@2.com
        Validity
            Not Before: Dec 21 14:49:18 2020 GMT
            Not After : Dec 21 14:49:18 2021 GMT
        Subject: C = cn, ST = HB, L = WH, O = runtime, OU = peixun, CN = taikong.example.com, emailAddress = 1@2.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    00:d6:f9:39:7e:8a:87:0d:e3:1c:3d:35:c9:1c:57:
                    92:66:32:02:42:c6:ff:01:ff:12:24:7e:b7:e7:59:
                    2e:1b:99:0b:e4:0c:63:ab:55:ec:51:bb:8c:dc:56:
                    72:23:02:7b:1e:95:75:09:00:65:7e:12:49:d6:4b:
                    ba:12:47:d4:d7:04:6a:fb:d1:be:64:4d:37:b0:e3:
                    41:22:95:ea:52:cb:93:9c:cc:34:08:30:59:59:71:
                    c5:97:0c:e2:da:22:37:3e:92:15:64:b3:4d:92:4e:
                    03:88:73:77:8c:95:66:ca:98:dc:96:60:34:af:6e:
                    52:49:77:42:97:23:fa:f3:fe:b7:39:a7:88:82:0d:
                    06:66:9b:6c:ba:52:9d:4f:36:b1:3f:10:f0:07:21:
                    38:98:68:d7:e3:8f:7b:68:5c:d8:14:a1:18:28:32:
                    e4:50:08:4a:e0:b2:5c:52:80:ae:2e:6b:b7:56:3f:
                    b7:86:71:e5:fd:8b:ce:2c:a8:26:f4:3f:88:dd:43:
                    b9:01:34:1a:22:b5:44:6d:25:94:ca:80:e5:13:3b:
                    c7:cf:f7:40:7f:a7:94:5c:c3:7e:a5:cc:27:25:9a:
                    6e:3c:49:17:15:db:b4:a0:c5:af:4d:eb:bb:bc:8d:
                    43:c7:bb:92:f7:27:50:8d:36:6f:6f:95:16:fe:f2:
                    9e:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16
            X509v3 Authority Key Identifier: 
                keyid:4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16

            X509v3 Basic Constraints: critical
                CA:TRUE
    Signature Algorithm: sha256WithRSAEncryption
         83:94:d7:ee:a6:a1:a5:1e:8a:5a:ab:ad:62:31:88:dd:c3:9f:
         3a:59:92:99:d3:b7:f8:ba:91:ea:7d:62:e1:7b:53:de:28:2b:
         53:77:0d:fe:68:26:62:53:77:fe:2a:6e:42:de:a7:ef:d1:99:
         e0:89:a6:f6:4d:73:11:d9:f1:e0:3a:9a:e6:a2:af:14:70:f2:
         98:bc:ab:7c:77:11:0a:1d:5a:5a:ab:cc:9b:0a:51:9f:8f:8c:
         dd:20:0a:86:85:31:d4:6f:74:ed:c5:f7:d6:7f:1d:5e:ec:01:
         c1:e9:e9:bd:d2:e6:da:42:3c:c7:df:14:6a:41:c1:73:dc:93:
         79:cb:95:bf:48:76:58:20:f9:99:5f:58:4a:41:3e:b6:58:08:
         b1:68:b2:44:78:0c:da:1b:9f:a2:61:78:5b:14:0d:73:90:0c:
         56:ce:2b:90:97:11:1c:e9:b9:7d:4c:57:8e:dc:ba:bd:8d:91:
         3b:b3:0c:1c:6c:38:e3:6d:3d:8f:c3:9d:40:a8:67:f1:d4:98:
         a4:c1:1e:94:ea:38:34:ce:2f:15:99:ee:e0:e5:45:97:6a:43:
         ca:6c:27:f8:13:e6:c4:a7:59:d8:ce:2e:90:4b:df:5b:6a:5d:
         de:9f:3c:3f:42:08:69:84:b9:43:1e:ef:d5:80:f4:14:9d:29:
         14:2e:a7:30
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
[root@www CA]# mkdir certs newcerts crl
[root@www CA]# touch index.txt && echo 01 > serial
[root@www CA]# ls
cacert.pem  certs  crl  index.txt  newcerts  private  serial

客户端(例如httpd服务器)生成密钥

[root@www CA]# cd /etc/httpd && mkdir ssl && cd ssl
[root@www ssl]# (umask 077;openssl genrsa -out httpd.key 2048)
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
..........................+++++
e is 65537 (0x010001)

客户端生成证书签署请求

[root@www ssl]# openssl req -new -key httpd.key -days 365 -out httpd.csr
Ignoring -days; not generating a certificate
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:cn     
State or Province Name (full name) []:HB
Locality Name (eg, city) [Default City]:WH
Organization Name (eg, company) [Default Company Ltd]:yuqinghao
Organizational Unit Name (eg, section) []:xuexi
Common Name (eg, your name or your server's hostname) []:taikong.example.com  
Email Address []:1@2.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

CA签署客户端提交上来的证书

[root@www ssl]# openssl ca -in ./httpd.csr -out httpd.crt -days 365
Using configuration from /etc/pki/tls/openssl.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 1 (0x1)
        Validity
            Not Before: Dec 21 15:15:55 2020 GMT
            Not After : Dec 21 15:15:55 2021 GMT
        Subject:
            countryName               = cn
            stateOrProvinceName       = HB
            organizationName          = yuqinghao
            organizationalUnitName    = xuexi
            commonName                = taikong.example.com
            emailAddress              = 1@2.com
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Comment: 
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier: 
                F2:02:61:22:44:F9:AC:3E:61:2D:27:CF:2A:AE:E5:37:95:2B:FD:6A
            X509v3 Authority Key Identifier: 
                keyid:4F:05:D3:F8:A8:3A:D0:A3:86:BF:9B:E8:D6:AA:2B:02:7E:7C:CE:16

Certificate is to be certified until Dec 21 15:15:55 2021 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated

修改配置文件

[root@www ~]# yum -y install mod_ssl
[root@www ~]# vim /etc/httpd/conf.d/ssl.conf 
<VirtualHost _default_:443>

# General setup for the virtual host, inherited from global configuration
//取消注释修改为taikong
DocumentRoot "/var/www/html/taikong/"
ServerName taikong.example.com:443

#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that restarting httpd will prompt again.  Keep
#   in mind that if you have both an RSA and a DSA certificate you
#   can configure both in parallel (to also allow the use of DSA
#   ciphers, etc.)
#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
#   require an ECC certificate which can also be configured in
#   parallel.
//修改为刚刚生成证书的位置
SSLCertificateFile /etc/httpd/ssl/httpd.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
#   ECC keys, when in use, can also be configured in parallel
//修改为刚刚生成私钥的位置
SSLCertificateKeyFile /etc/httpd/ssl/httpd.key

[root@www ~]# systemctl restart httpd
[root@www ~]# ss -antl
State     Recv-Q     Send-Q         Local Address:Port         Peer Address:Port    
LISTEN    0          128                  0.0.0.0:22                0.0.0.0:*   
LISTEN    0          128                     [::]:22                   [::]:*   
LISTEN    0          128                        *:443                     *:*   
LISTEN    0          128                        *:80                      *:*   

访问https://taikong.example.com

10

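高级-接受风险并继续(出现警告是因为浏览器不信任这个自建CA;实验之外应把cacert.pem导入客户端的受信任根证书,而不是习惯性地跳过警告。此外该证书只有CN、没有subjectAltName扩展,较新的浏览器即使信任了CA仍可能提示名称不匹配)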

11

访问https://win10.example.com

12

以下是一步一步安装httpd时可能会遇到的错误及解决的方式

//下载源码包
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache/httpd/httpd-2.4.46.tar.bz2
[root@localhost ~]# ls
anaconda-ks.cfg  httpd-2.4.46.tar.bz2

//解压并进入
[root@localhost ~]# tar xf httpd-2.4.46.tar.bz2 
[root@localhost ~]# ls
anaconda-ks.cfg  httpd-2.4.46  httpd-2.4.46.tar.bz2
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ls
ABOUT_APACHE     BuildBin.dsp    emacs-style     LAYOUT        NOTICE            srclib
acinclude.m4     buildconf       httpd.dep       libhttpd.dep  NWGNUmakefile     support
Apache-apr2.dsw  CHANGES         httpd.dsp       libhttpd.dsp  os                test
Apache.dsw       CMakeLists.txt  httpd.mak       libhttpd.mak  README            VERSIONING
apache_probes.d  config.layout   httpd.spec      LICENSE       README.cmake
ap.d             configure       include         Makefile.in   README.platforms
build            configure.in    INSTALL         Makefile.win  ROADMAP
BuildAll.dsp     docs            InstallBin.dsp  modules       server

//尝试安装httpd
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
checking for APR... no
configure: error: APR not found.  Please read the documentation.

//解决apr not found问题
//(需要安装apr)
[root@localhost httpd-2.4.46]# cd
[root@localhost ~]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-1.7.0.tar.gz
[root@localhost ~]# tar xf apr-1.7.0.tar.gz 
[root@localhost ~]# cd apr-1.7.0
[root@localhost apr-1.7.0]# ls
apr-config.in  build.conf        dso         libapr.rc     NOTICE         support
apr.dep        buildconf         emacs-mode  LICENSE       NWGNUmakefile  tables
apr.dsp        build-outputs.mk  encoding    locks         passwd         test
apr.dsw        CHANGES           file_io     Makefile.in   poll           threadproc
apr.mak        CMakeLists.txt    helpers     Makefile.win  random         time
apr.pc.in      config.layout     include     memory        README         tools
apr.spec       configure         libapr.dep  misc          README.cmake   user
atomic         configure.in      libapr.dsp  mmap          shmem
build          docs              libapr.mak  network_io    strings
[root@localhost apr-1.7.0]# ./configure --prefix=/usr/local/apr
[root@localhost apr-1.7.0]# echo $?
0
[root@localhost apr-1.7.0]# make
[root@localhost apr-1.7.0]# echo $?
0
[root@localhost apr-1.7.0]# make install
[root@localhost apr-1.7.0]# echo $?
0

//再尝试安装apache
[root@localhost apr-1.7.0]# cd
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
checking for APR-util... no
configure: error: APR-util not found.  Please read the documentation.

//解决APR-util not found问题
//(需要安装apr-util)
[root@localhost httpd-2.4.46]# cd
[root@localhost apr-util-1.6.1]# wget https://mirrors.tuna.tsinghua.edu.cn/apache//apr/apr-util-1.6.1.tar.gz
[root@localhost ~]# tar xf apr-util-1.6.1.tar.gz 
[root@localhost ~]# cd apr-util-1.6.1
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util
configure: error: APR could not be located. Please use the --with-apr option.

//解决APR could not be located问题
//(安装apr-util时需要使用--with-apr=PATH)
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# make
xml/apr_xml.c:35:10: fatal error: expat.h: No such file or directory

//解决缺少expat库问题
//(需要安装expat-devel)
[root@localhost apr-util-1.6.1]# yum -y install expat-devel
[root@localhost apr-util-1.6.1]# echo $?
[root@localhost apr-util-1.6.1]# 0
[root@localhost apr-util-1.6.1]# make install
[root@localhost apr-util-1.6.1]# echo $?
[root@localhost apr-util-1.6.1]# 0

//再尝试安装httpd
[root@localhost apr-util-1.6.1]# cd
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd
checking for APR-util... no
configure: error: APR-util not found.  Please read the documentation.

//解决APR-util还是not found问题
//(安装httpd时需要使用--with-apr=PATH --with-apr-util=PATH)
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
configure: error: pcre-config for libpcre not found. PCRE is required and available from http://pcre.org/

//解决pcre not found问题
//(需要安装pcre-devel)
[root@localhost httpd-2.4.46]# yum -y install pcre-devel

//再尝试安装httpd
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
configure: summary of build options:
    Server Version: 2.4.46
    Install prefix: /usr/local/httpd
    C compiler:     gcc
    CFLAGS:          -g -O2 -pthread  
    CPPFLAGS:        -DLINUX -D_REENTRANT -D_GNU_SOURCE  
    LDFLAGS:           
    LIBS:             
    C preprocessor: gcc -E
[root@localhost httpd-2.4.46]# echo $?
0
[root@localhost httpd-2.4.46]# make
collect2: error: ld returned 1 exit status
make[2]: *** [Makefile:48: htpasswd] Error 1
make[2]: Leaving directory '/root/httpd-2.4.46/support'
make[1]: *** [/root/httpd-2.4.46/build/rules.mk:75: all-recursive] Error 1
make[1]: Leaving directory '/root/httpd-2.4.46/support'
make: *** [/root/httpd-2.4.46/build/rules.mk:75: all-recursive] Error 1
[root@localhost httpd-2.4.46]# echo $?
2

//缺少了xml相关的库,需要安装libxml2-devel包。直接安装并不能解决问题,因为httpd调用的apr-util已经安装好了,但是apr-util并没有libxml2-devel包支持。
//(需要安装libxml2-devel)
[root@localhost httpd-2.4.46]# yum -y install libxml2-devel

//删除apr-util安装目录,并重新编译安装
[root@localhost httpd-2.4.46]# rm -rf /usr/local/apr-util/
[root@localhost httpd-2.4.46]# cd
[root@localhost ~]# cd apr-util-1.6.1

//清除之前编译生成的文件
[root@localhost apr-util-1.6.1]# make clean

//重新安装apr-util
[root@localhost apr-util-1.6.1]# ./configure --prefix=/usr/local/apr-util --with-apr=/usr/local/apr
[root@localhost apr-util-1.6.1]# echo $?
0
[root@localhost apr-util-1.6.1]# make
[root@localhost apr-util-1.6.1]# echo $?
0
[root@localhost apr-util-1.6.1]# make install
[root@localhost apr-util-1.6.1]# echo $?
0

//重新编译安装httpd
[root@localhost apr-util-1.6.1]# cd
[root@localhost ~]# cd httpd-2.4.46
[root@localhost httpd-2.4.46]# make clean
[root@localhost httpd-2.4.46]# ./configure --prefix=/usr/local/httpd  --with-apr=/usr/local/apr --with-apr-util=/usr/local/apr-util
configure: summary of build options:
    Server Version: 2.4.46
    Install prefix: /usr/local/httpd
    C compiler:     gcc
    CFLAGS:          -g -O2 -pthread  
    CPPFLAGS:        -DLINUX -D_REENTRANT -D_GNU_SOURCE  
    LDFLAGS:           
    LIBS:             
    C preprocessor: gcc -E
[root@localhost httpd-2.4.46]# echo $?
0
[root@localhost httpd-2.4.46]# make
[root@localhost httpd-2.4.46]# echo $?
0
[root@localhost httpd-2.4.46]# make install
[root@localhost httpd-2.4.46]# echo $?
0

//关闭防火墙和SELinux(仅限实验环境)、修改配置文件并重启服务
[root@localhost httpd-2.4.46]# systemctl stop firewalld
[root@localhost httpd-2.4.46]# setenforce 0
[root@localhost httpd-2.4.46]# getenforce 
Permissive
[root@localhost httpd-2.4.46]# /usr/local/httpd/bin/apachectl start
[root@localhost httpd-2.4.46]# vi /usr/local/httpd/conf/httpd.conf 
ServerName localhost:80
[root@localhost httpd-2.4.46]# /usr/local/httpd/bin/apachectl restart

//设置环境变量
[root@localhost httpd-2.4.46]# cd
[root@localhost ~]# vi /etc/profile.d/apache.sh
export PATH=$PATH:/usr/local/httpd/bin/
[root@localhost ~]# source /etc/profile.d/apache.sh

//设置头文件链接
[root@localhost ~]# ln -s /usr/local/httpd/include/ /usr/include/httpd

//设置帮助文档(加入以下内容)
[root@localhost man]# vi /etc/man_db.conf
MANDATORY_MANPATH                       /usr/local/httpd/man
MANDATORY_MANPATH                       /usr/local/httpd/manual

//测试httpd服务
[root@localhost man]# cd
[root@localhost ~]# apachectl stop
[root@localhost ~]# ss -antl
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
LISTEN      0           128                       [::]:22                       [::]:*   
[root@localhost ~]# apachectl start
[root@localhost ~]# ss -antl
State       Recv-Q      Send-Q           Local Address:Port             Peer Address:Port 
LISTEN      0           128                    0.0.0.0:22                    0.0.0.0:*   
LISTEN      0           128                          *:80                          *:*   
LISTEN      0           128                       [::]:22                       [::]:*  
[root@localhost ~]# ip a
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:f9:ec:35 brd ff:ff:ff:ff:ff:ff
    inet 192.168.237.128/24 brd 192.168.237.255 scope global dynamic noprefixroute ens160
       valid_lft 1649sec preferred_lft 1649sec
    inet6 fe80::96da:6b44:5ce1:8588/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

测试成功

apache
